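def Run(self, args):
    """Import a key version into Cloud KMS from wrapped or raw key material.

    Exactly one of --rsa-aes-wrapped-key-file (material the caller has already
    wrapped) or --target-key-file (unwrapped material, wrapped locally before
    the request is built) must be supplied.

    Args:
      args: the parsed command-line arguments for this command.

    Returns:
      The result of the CryptoKeyVersions Import call.

    Raises:
      exceptions.OneOfArgumentsRequiredException: if both or neither of the two
        key-file flags are set.
      exceptions.BadFileException: if the selected key file cannot be read.
    """
    client = cloudkms_base.GetClientInstance()
    messages = cloudkms_base.GetMessagesModule()
    import_job_name = flags.ParseImportJobName(args).RelativeName()

    # The two inputs are mutually exclusive: equal truthiness means either both
    # or neither were given, and both cases are rejected.
    if bool(args.rsa_aes_wrapped_key_file) == bool(args.target_key_file):
      raise exceptions.OneOfArgumentsRequiredException(
          ('--target-key-file', '--rsa-aes-wrapped-key-file'),
          'Either a pre-wrapped key or a key to be wrapped must be provided.')

    rsa_aes_wrapped_key_bytes = None
    if args.rsa_aes_wrapped_key_file:
      try:
        # Reads are capped at 64KiB (65536 bytes) for pre-wrapped material.
        rsa_aes_wrapped_key_bytes = self._ReadFile(
            args.rsa_aes_wrapped_key_file, max_bytes=65536)
      except files.Error as e:
        # Report the flag that was actually read. The previous code referenced
        # args.wrapped_target_key_file, which is not the attribute used above,
        # so a read failure could surface as an unrelated attribute error
        # instead of this message. Only the path and the file error are
        # reported, never key bytes.
        raise exceptions.BadFileException(
            'Failed to read rsa_aes_wrapped_key_file [{0}]: {1}'.format(
                args.rsa_aes_wrapped_key_file, e))

    if args.target_key_file:
      # NOTE(review): where the wrapping public key comes from is decided in
      # _ReadOrFetchPublicKeyBytes (not visible here). The raw key is only
      # protected if that key really belongs to the import job -- confirm.
      public_key_bytes = self._ReadOrFetchPublicKeyBytes(args, import_job_name)
      target_key_bytes = None
      try:
        # Unwrapped key material; reads are capped at 8192 bytes.
        target_key_bytes = self._ReadFile(
            args.target_key_file, max_bytes=8192)
      except files.Error as e:
        raise exceptions.BadFileException(
            'Failed to read target key file [{0}]: {1}'.format(
                args.target_key_file, e))
      # Wrap locally so that only wrapped bytes are placed in the request.
      rsa_aes_wrapped_key_bytes = self._CkmRsaAesKeyWrap(public_key_bytes,
                                                         target_key_bytes)

    # Send the request to KMS.
    req = messages.CloudkmsProjectsLocationsKeyRingsCryptoKeysCryptoKeyVersionsImportRequest(  # pylint: disable=line-too-long
        parent=flags.ParseCryptoKeyName(args).RelativeName())
    req.importCryptoKeyVersionRequest = messages.ImportCryptoKeyVersionRequest(
        algorithm=maps.ALGORITHM_MAPPER_FOR_IMPORT.GetEnumForChoice(
            args.algorithm),
        importJob=import_job_name,
        rsaAesWrappedKey=rsa_aes_wrapped_key_bytes)

    # --version is optional; when set it names the crypto key version that is
    # put on the request.
    if args.version:
      req.importCryptoKeyVersionRequest.cryptoKeyVersion = flags.ParseCryptoKeyVersionName(
          args).RelativeName()

    return client.projects_locations_keyRings_cryptoKeys_cryptoKeyVersions.Import(
        req)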
Exemplo n.º 2
  def Run(self, args):
    """Fetch an import job and optionally save its attestation to a file.

    Args:
      args: the parsed command-line arguments for this command.

    Returns:
      The import job message, with the attestation content cleared so that it
      is not printed.

    Raises:
      exceptions.InvalidArgumentException: if the import job id is empty.
      exceptions.ToolException: if --attestation-file is given for a non-HSM
        import job, or for a job still in PENDING_GENERATION.
      exceptions.BadFileException: if the attestation file cannot be written.
    """
    kms_client = cloudkms_base.GetClientInstance()
    kms_messages = cloudkms_base.GetMessagesModule()

    job_ref = flags.ParseImportJobName(args)
    if not job_ref.Name():
      raise exceptions.InvalidArgumentException(
          'import_job', 'import job id must be non-empty.')
    import_job = kms_client.projects_locations_keyRings_importJobs.Get(
        kms_messages.CloudkmsProjectsLocationsKeyRingsImportJobsGetRequest(  # pylint: disable=line-too-long
            name=job_ref.RelativeName()))

    if args.attestation_file:
      # Only HSM import jobs carry an attestation; reject the flag for any
      # other protection level.
      if (import_job.protectionLevel !=
          kms_messages.ImportJob.ProtectionLevelValueValuesEnum.HSM):
        raise exceptions.ToolException(
            'Attestations are only available for HSM import jobs.')

      # No attestation exists yet while the job is still being generated.
      if (import_job.state ==
          kms_messages.ImportJob.StateValueValuesEnum.PENDING_GENERATION):
        raise exceptions.ToolException(
            'The attestation is unavailable until the import job is generated.')

      if import_job.attestation is not None:
        try:
          # overwrite=True: an existing file at this path is replaced.
          log.WriteToFileOrStdout(
              args.attestation_file,
              import_job.attestation.content,
              overwrite=True,
              binary=True)
        except files.Error as write_error:
          raise exceptions.BadFileException(write_error)

    if import_job.attestation is not None:
      # Keep the attestation content out of the printed result; it is only
      # available through --attestation-file.
      import_job.attestation.content = None

    return import_job
Exemplo n.º 3
  def _CreateRequest(self, args):
    """Build the ImportJobs Create request from the command-line arguments.

    Args:
      args: the parsed command-line arguments for this command.

    Returns:
      A CloudkmsProjectsLocationsKeyRingsImportJobsCreateRequest message.

    Raises:
      exceptions.ToolException: if --protection-level or --import-method is
        missing.
    """
    messages = cloudkms_base.GetMessagesModule()

    # Both settings must be chosen explicitly by the caller; neither is
    # defaulted here.
    if not args.protection_level:
      raise exceptions.ToolException(
          "--protection-level needs to be specified when creating an import job"
      )
    if not args.import_method:
      raise exceptions.ToolException(
          "--import-method needs to be specified when creating an import job")

    job_ref = flags.ParseImportJobName(args)
    key_ring_ref = flags.ParseParentFromResource(job_ref)

    parent_name = key_ring_ref.RelativeName()
    job_id = job_ref.Name()
    protection_level = maps.IMPORT_PROTECTION_LEVEL_MAPPER.GetEnumForChoice(
        args.protection_level)
    import_method = maps.IMPORT_METHOD_MAPPER.GetEnumForChoice(
        args.import_method)
    import_job = messages.ImportJob(
        protectionLevel=protection_level, importMethod=import_method)

    return messages.CloudkmsProjectsLocationsKeyRingsImportJobsCreateRequest(
        parent=parent_name, importJobId=job_id, importJob=import_job)